Bug 1415619: Add a separate trust-domain to cached tasks. r=dustin,gps

This allows firefox and thunderbird builds to avoid using each others bits. MozReview-Commit-ID: KYQYDd2tkGj --HG-- extra : rebase_source : 42f1d13ec609f066cb3bd3050ed894296b72d982
2017-11-09 17:15:29 -07:00 · 2017-11-09 17:15:29 -07:00 · dd4df1aec9
--- a/taskcluster/ci/config.yml
+++ b/taskcluster/ci/config.yml
@ -1,3 +1,4 @@
+trust-domain: gecko
 treeherder:
    group-names:
        'cram': 'Cram tests'
--- a/taskcluster/docs/docker-images.rst
+++ b/taskcluster/docs/docker-images.rst
@ -105,8 +105,8 @@ Example:
 Each image has a repo digest, an image hash, and a version. The repo digest is
 stored in the ``HASH`` file in the image directory  and used to refer to the
 image as above.  The version is in ``VERSION``.  The image hash is used in
-chain-of-trust verification in `scriptworker
-<https://github.com/mozilla-releng/scriptworker>`_.
+`chain-of-trust verification <http://scriptworker.readthedocs.io/en/latest/chain_of_trust.html>`
+in `scriptworker <https://github.com/mozilla-releng/scriptworker>`_.

 The version file only serves to provide convenient names, such that old
 versions are easy to discover in the registry (and ensuring old versions aren't
--- a/taskcluster/docs/taskgraph.rst
+++ b/taskcluster/docs/taskgraph.rst
@ -169,3 +169,17 @@ using simple parameterized values, as follows:
    Multiple labels may be substituted in a single string, and ``<<>`` can be
    used to escape a literal ``<``.

+.. _taskgraph-trust-domain:
+
+Trust Domain
+------------
+
+When publishing and signing releases, that tasks verify their definition and
+all upstream tasks come from a decision task based on a trusted tree. (see
+`chain-of-trust verification <http://scriptworker.readthedocs.io/en/latest/chain_of_trust.html>`).
+Firefox and Thunderbird share the taskgraph code and in particular, they have
+separate taskgraph configurations and in particular distinct decision tasks.
+Although they use identical docker images and toolchains, in order to track the
+province of those artifacts when verifying the chain of trust, they use
+different index paths to cache those artifacts. The ``trust-domain`` graph
+configuration controls the base path for indexing these cached artifacts.
--- a/taskcluster/taskgraph/config.py
+++ b/taskcluster/taskgraph/config.py
@ -8,6 +8,9 @@ from .util.schema import validate_schema, Schema
 from voluptuous import Required

 graph_config_schema = Schema({
+    # The trust-domain for this graph.
+    # (See https://firefox-source-docs.mozilla.org/taskcluster/taskcluster/taskgraph.html#taskgraph-trust-domain)  # noqa
+    Required('trust-domain'): basestring,
    Required('treeherder'): {
        # Mapping of treeherder group symbols to descriptive names
        Required('group-names'): {basestring: basestring}
--- a/taskcluster/taskgraph/docker.py
+++ b/taskcluster/taskgraph/docker.py
@ -30,7 +30,12 @@ def load_image_by_name(image_name, tag=None):
    context_hash = docker.generate_context_hash(GECKO, context_path, image_name)

    index_path = cached_index_path(
-        level=3, cache_type='docker-images.v1', cache_name=image_name, digest=context_hash)
+        trust_domain='gecko',
+        level=3,
+        cache_type='docker-images.v1',
+        cache_name=image_name,
+        digest=context_hash,
+    )
    task_id = find_task_id(index_path)

    return load_image_by_task_id(task_id, tag)
--- a/taskcluster/taskgraph/util/cached_tasks.py
+++ b/taskcluster/taskgraph/util/cached_tasks.py
@ -9,11 +9,11 @@ import time


 TARGET_CACHE_INDEX = (
-    'gecko.cache.level-{level}.{type}.{name}.hash.{digest}'
+    '{trust_domain}.cache.level-{level}.{type}.{name}.hash.{digest}'
 )
 EXTRA_CACHE_INDEXES = [
-    'gecko.cache.level-{level}.{type}.{name}.latest',
-    'gecko.cache.level-{level}.{type}.{name}.pushdate.{build_date_long}',
+    '{trust_domain}.cache.level-{level}.{type}.{name}.latest',
+    '{trust_domain}.cache.level-{level}.{type}.{name}.pushdate.{build_date_long}',
 ]


@ -42,6 +42,7 @@ def add_optimization(config, taskdesc, cache_type, cache_name, digest=None, dige
        digest = hashlib.sha256('\n'.join(digest_data)).hexdigest()

    subs = {
+        'trust_domain': config.graph_config['trust-domain'],
        'type': cache_type,
        'name': cache_name,
        'digest': digest,
@ -68,12 +69,13 @@ def add_optimization(config, taskdesc, cache_type, cache_name, digest=None, dige
    ])


-def cached_index_path(level, cache_type, cache_name, digest=None, digest_data=None):
+def cached_index_path(level, trust_domain, cache_type, cache_name, digest=None, digest_data=None):
    """
    Get the index path needed to locate the task that would be created by
    :func:`add_optimization`.

    :param int level: The SCM level of the task to look for.
+    :param str trust_domain: The trust domain to look for the task in.
    :param str cache_type: The type of task result being cached.
    :param str cache_name: The name of the object being cached.
    :param digest: A unique string indentifying this version of the artifacts
@ -92,4 +94,4 @@ def cached_index_path(level, cache_type, cache_name, digest=None, digest_data=No
        digest = hashlib.sha256('\n'.join(digest_data)).hexdigest()

    return TARGET_CACHE_INDEX.format(
-        level=level, type=cache_type, name=cache_name, digest=digest)
+        trust_domain=trust_domain, level=level, type=cache_type, name=cache_name, digest=digest)